org.owasp.dependencycheck.maven

Class BaseDependencyCheckMojo

java.lang.Object

org.apache.maven.plugin.AbstractMojo

org.owasp.dependencycheck.maven.BaseDependencyCheckMojo

All Implemented Interfaces:

org.apache.maven.plugin.ContextEnabled, org.apache.maven.plugin.Mojo, org.apache.maven.reporting.MavenReport

Direct Known Subclasses:

AggregateMojo, CheckMojo, PurgeMojo, UpdateMojo

public abstract class BaseDependencyCheckMojo
extends org.apache.maven.plugin.AbstractMojo
implements org.apache.maven.reporting.MavenReport

Author:

Jeremy Long

Field Summary

Fields inherited from interface org.apache.maven.reporting.MavenReport

CATEGORY_PROJECT_INFORMATION, CATEGORY_PROJECT_REPORTS, ROLE

Fields inherited from interface org.apache.maven.plugin.Mojo

ROLE

Constructor Summary

Constructors

Constructor and Description
BaseDependencyCheckMojo()

Method Summary

Modifier and Type	Method and Description
protected void	checkForFailure(Dependency[] dependencies) Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the configuration.
void	execute() Executes dependency-check.
void	generate(org.codehaus.doxia.sink.Sink sink, Locale locale) Deprecated. use generate(org.apache.maven.doxia.sink.Sink, java.util.Locale) instead.
void	generate(org.apache.maven.doxia.sink.Sink sink, Locale locale) Generates the Dependency-Check Site Report.
protected Filter<String>	getArtifactScopeExcluded() Returns the artifact scope excluded filter.
String	getCategoryName() Returns the category name.
protected String	getConnectionString() Returns the connection string.
protected File	getCorrectOutputDirectory() Returns the correct output directory depending on if a site is being executed or not.
protected File	getCorrectOutputDirectory(org.apache.maven.project.MavenProject current) Returns the correct output directory depending on if a site is being executed or not.
protected String	getDataFileContextKey() Returns the key used to store the path to the data file that is saved by writeDataFile().
protected String	getFormat() Returns the report format.
File	getOutputDirectory() Returns the output directory.
protected String	getOutputDirectoryContextKey() Returns the key used to store the path to the output directory.
String	getOutputName() Returns the output name.
protected org.apache.maven.project.MavenProject	getProject() Returns a reference to the current project.
protected List<org.apache.maven.project.MavenProject>	getReactorProjects() Returns the list of Maven Projects in this build.
File	getReportOutputDirectory() Returns the report output directory.
protected Settings	getSettings() Returns the configured settings.
protected Engine	initializeEngine() Initializes a new Engine that can be used for scanning.
boolean	isExternalReport() Returns whether this is an external report.
protected boolean	isFailOnError() Returns if the mojo should fail the build if an exception occurs.
protected boolean	isGeneratingSite() Returns true if the Maven site is being generated.
org.apache.maven.project.ProjectBuildingRequest	newResolveArtifactProjectBuildingRequest()
protected void	populateSettings() Takes the properties supplied and updates the dependency-check settings.
protected void	runCheck() Executes the dependency-check scan and generates the necessary report.
protected ExceptionCollection	scanArtifacts(org.apache.maven.project.MavenProject project, Engine engine) Scans the project's artifacts and adds them to the engine's dependency list.
protected ExceptionCollection	scanArtifacts(org.apache.maven.project.MavenProject project, Engine engine, boolean aggregate) Scans the project's artifacts and adds them to the engine's dependency list.
protected abstract ExceptionCollection	scanDependencies(Engine engine) Scans the dependencies of the projects in aggregate.
void	setReportOutputDirectory(File directory) Sets the Reporting output directory.
protected void	showSummary(org.apache.maven.project.MavenProject mp, Dependency[] dependencies) Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.

Methods inherited from class org.apache.maven.plugin.AbstractMojo

getLog, getPluginContext, setLog, setPluginContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.maven.reporting.MavenReport

canGenerateReport, getDescription, getName

Constructor Detail

BaseDependencyCheckMojo

public BaseDependencyCheckMojo()

Method Detail

execute

public void execute()
             throws org.apache.maven.plugin.MojoExecutionException,
                    org.apache.maven.plugin.MojoFailureException

Executes dependency-check.

Specified by:

execute in interface org.apache.maven.plugin.Mojo

Throws:

org.apache.maven.plugin.MojoExecutionException - thrown if there is an exception executing the mojo

org.apache.maven.plugin.MojoFailureException - thrown if dependency-check failed the build

generate

@Deprecated
public final void generate(org.codehaus.doxia.sink.Sink sink,
                                       Locale locale)
                                throws org.apache.maven.reporting.MavenReportException

Deprecated. use generate(org.apache.maven.doxia.sink.Sink, java.util.Locale) instead.

Generates the Dependency-Check Site Report.

Specified by:

generate in interface org.apache.maven.reporting.MavenReport

Parameters:

sink - the sink to write the report to

locale - the locale to use when generating the report

Throws:

org.apache.maven.reporting.MavenReportException - if a maven report exception occurs

isGeneratingSite

protected boolean isGeneratingSite()

Returns true if the Maven site is being generated.

Returns:

true if the Maven site is being generated

getConnectionString

protected String getConnectionString()

Returns the connection string.

Returns:

the connection string

isFailOnError

protected boolean isFailOnError()

Returns if the mojo should fail the build if an exception occurs.

Returns:

whether or not the mojo should fail the build

generate

public void generate(org.apache.maven.doxia.sink.Sink sink,
                     Locale locale)
              throws org.apache.maven.reporting.MavenReportException

Generates the Dependency-Check Site Report.

Parameters:

sink - the sink to write the report to

locale - the locale to use when generating the report

Throws:

org.apache.maven.reporting.MavenReportException - if a maven report exception occurs

getCorrectOutputDirectory

protected File getCorrectOutputDirectory()
                                  throws org.apache.maven.plugin.MojoExecutionException

Returns the correct output directory depending on if a site is being executed or not.

Returns:

the directory to write the report(s)

Throws:

org.apache.maven.plugin.MojoExecutionException - thrown if there is an error loading the file path

getCorrectOutputDirectory

protected File getCorrectOutputDirectory(org.apache.maven.project.MavenProject current)

Returns the correct output directory depending on if a site is being executed or not.

Parameters:

current - the Maven project to get the output directory from

Returns:

the directory to write the report(s)

scanArtifacts

protected ExceptionCollection scanArtifacts(org.apache.maven.project.MavenProject project,
                                            Engine engine)

Scans the project's artifacts and adds them to the engine's dependency list.

Parameters:

project - the project to scan the dependencies of

engine - the engine to use to scan the dependencies

Returns:

a collection of exceptions that may have occurred while resolving and scanning the dependencies

scanArtifacts

protected ExceptionCollection scanArtifacts(org.apache.maven.project.MavenProject project,
                                            Engine engine,
                                            boolean aggregate)

Scans the project's artifacts and adds them to the engine's dependency list.

Parameters:

project - the project to scan the dependencies of

engine - the engine to use to scan the dependencies

aggregate - whether the scan is part of an aggregate build

Returns:

a collection of exceptions that may have occurred while resolving and scanning the dependencies

newResolveArtifactProjectBuildingRequest

public org.apache.maven.project.ProjectBuildingRequest newResolveArtifactProjectBuildingRequest()

Returns:

Returns a new ProjectBuildingRequest populated from the current session and the current project remote repositories, used to resolve artifacts.

runCheck

protected void runCheck()
                 throws org.apache.maven.plugin.MojoExecutionException,
                        org.apache.maven.plugin.MojoFailureException

Executes the dependency-check scan and generates the necessary report.

Throws:

org.apache.maven.plugin.MojoExecutionException - thrown if there is an exception running the scan

org.apache.maven.plugin.MojoFailureException - thrown if dependency-check is configured to fail the build

scanDependencies

protected abstract ExceptionCollection scanDependencies(Engine engine)
                                                 throws org.apache.maven.plugin.MojoExecutionException

Scans the dependencies of the projects in aggregate.

Parameters:

engine - the engine used to perform the scanning

Returns:

a collection of exceptions

Throws:

org.apache.maven.plugin.MojoExecutionException - thrown if a fatal exception occurs

getReportOutputDirectory

public File getReportOutputDirectory()

Returns the report output directory.

Specified by:

getReportOutputDirectory in interface org.apache.maven.reporting.MavenReport

Returns:

the report output directory

setReportOutputDirectory

public void setReportOutputDirectory(File directory)

Sets the Reporting output directory.

Specified by:

setReportOutputDirectory in interface org.apache.maven.reporting.MavenReport

Parameters:

directory - the output directory

getOutputDirectory

public File getOutputDirectory()

Returns the output directory.

Returns:

the output directory

isExternalReport

public final boolean isExternalReport()

Returns whether this is an external report. This method always returns true.

Specified by:

isExternalReport in interface org.apache.maven.reporting.MavenReport

Returns:

true

getOutputName

public String getOutputName()

Returns the output name.

Specified by:

getOutputName in interface org.apache.maven.reporting.MavenReport

Returns:

the output name

getCategoryName

public String getCategoryName()

Returns the category name.

Specified by:

getCategoryName in interface org.apache.maven.reporting.MavenReport

Returns:

the category name

initializeEngine

protected Engine initializeEngine()
                           throws DatabaseException

Initializes a new Engine that can be used for scanning. This method should only be called in a try-with-resources to ensure that the engine is properly closed.

Returns:

a newly instantiated Engine

Throws:

DatabaseException - thrown if there is a database exception

populateSettings

protected void populateSettings()

Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties required to change the proxy url, port, and connection timeout.

getProject

protected org.apache.maven.project.MavenProject getProject()

Returns a reference to the current project. This method is used instead of auto-binding the project via component annotation in concrete implementations of this. If the child has a @Component MavenProject project; defined then the abstract class (i.e. this class) will not have access to the current project (just the way Maven works with the binding).

Returns:

returns a reference to the current project

getReactorProjects

protected List<org.apache.maven.project.MavenProject> getReactorProjects()

Returns the list of Maven Projects in this build.

Returns:

the list of Maven Projects in this build

getFormat

protected String getFormat()

Returns the report format.

Returns:

the report format

getArtifactScopeExcluded

protected Filter<String> getArtifactScopeExcluded()

Returns the artifact scope excluded filter.

Returns:

the artifact scope excluded filter

getSettings

protected Settings getSettings()

Returns the configured settings.

Returns:

the configured settings

checkForFailure

protected void checkForFailure(Dependency[] dependencies)
                        throws org.apache.maven.plugin.MojoFailureException

Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the configuration.

Parameters:

dependencies - the list of dependency objects

Throws:

org.apache.maven.plugin.MojoFailureException - thrown if a CVSS score is found that is higher then the threshold set

showSummary

protected void showSummary(org.apache.maven.project.MavenProject mp,
                           Dependency[] dependencies)

Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.

Parameters:

mp - the Maven project for which the summary is shown

dependencies - a list of dependency objects

getDataFileContextKey

protected String getDataFileContextKey()

Returns the key used to store the path to the data file that is saved by writeDataFile(). This key is used in the MavenProject.(set|get)ContextValue.

Returns:

the key used to store the path to the data file

getOutputDirectoryContextKey

protected String getOutputDirectoryContextKey()

Returns the key used to store the path to the output directory. When generating the report in the executeAggregateReport() the output directory should be obtained by using this key.

Returns:

the key used to store the path to the output directory